SBS 2003 Server must be rebooted every other day

I support an SBS 2003 server that is fully updated and patched. It was hacked into 9 days ago and used as a spam relay. I have fixed that situation and cleared out over 200K messages that backed up in the queues.

I loaded always-on Malwarebytes and saw it blocked outgoing connections for the first 4 days, but it has not had any since then. I also blocked several sites in AU and at the Watchguard firewall that kept trying to get into the server. I have run several programs to look for rootkits, but found none.

Right now, the Exchange queues are fine, except maybe 4 or 5 random 'bogus' sites that appear daily with messages from our postmaster. The problem is: after about two days, activity on the LAN crawls to a halt. When you try to log in to the server console, it takes over 15 minutes to show the desktop (either at the server or via TS). After rebooting the server, login at the server is back to normal (within 30 seconds), and LAN traffic is fine. Maybe a day or two later, it is back to a crawl and the server must be rebooted again.

I'm going onsite again right now to work on it. What would be my next steps?

One other oddity: In Exchange System Manager, when I go into properties of the Exchange server, and I click on the Diagnostics Logging tab (to look at something I read must be adjusted after this type of attack), the program completely hangs.

Thanks for the quick response! Kind of weird way... this server was set up like all my others (but I do not classify myself as an expert). The actual Exchange server is locked in the position I mentioned, but from memory I:
1) Properties of Default (and only) SMTP server
2) Access Tab, Relay button, only the list below was checked
3) 192.0.0.2 was in the list (which I usually do not have), along with the actual LAN IP
4) Deleted 192.

I have not been onsite when that happens. I am about to go onsite now. I was TS'ed in, but locked up the server going to the Exchange Diag Logging tab. Had to break the TS connection. Now server will not let me back in. I'll stay here 15 more minutes to answer questions (until 6:00 CT) before making the 40 minute drive to get onsite.

Windows updates would work now & downloaded over 70 last night, but did not have time to re-install Exchange SP2.

Reviewed the Event Logs while waiting for all downloads; so many errors now. This used to be a very clean server. It is 5 years old & client would only have me review it every 6 months, but never problems like appear now. Makes me think a complete re-install of OS might be best thing, although would hate to do that and then find it is a hardware error.

We are just monitoring it right now. After a reboot, login at server console gets the desktop to appear within 25 seconds. If you then log out and try to log back in, desktop takes over 5 or 10 minutes to appear. This seems like the major problem to be tackled first. (It also makes me think it is not a hardware issue.) What should I do to try fixing this? Client will just reboot the server daily to keep office (with 20 PCs) running. Server access only degrades over a day or two; it has been stable for up to 20 hours after each reboot.

Exchange server seems fine now. Real problem was the hacker modified the DNS forwarder & one of the root hints. Once found & fixed; server acting much better, but not perfect. 2nd login to server after a reboot still takes 3 to 5 minutes, where 1st login after reboot takes 15 seconds.
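
The last update above traces the trouble to a modified DNS forwarder and root hint. As an added example (not from the original thread), this Python script audits a root hints file in standard zone-file format against a known-good baseline; the baseline subset, the sample file content and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed known-good baseline: a subset of the IANA root hints.
# Complete and refresh it from the published named.root before real use.
BASELINE = {
    "a.root-servers.net": "198.41.0.4",
    "c.root-servers.net": "192.33.4.12",
    "f.root-servers.net": "192.5.5.241",
    "k.root-servers.net": "193.0.14.129",
}

# Constructed sample: one root server re-pointed, one extra host added.
SAMPLE_HINTS = """\
; constructed root hints sample
.                    3600000  IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000  IN  A   198.41.0.4
C.ROOT-SERVERS.NET.  3600000      A   192.33.4.12
F.ROOT-SERVERS.NET.  3600000      A   203.0.113.53
K.ROOT-SERVERS.NET.  3600000      A   193.0.14.129
ROGUE.EXAMPLE.       3600000      A   198.51.100.7
"""

def parse_a_records(text):
    """Return {hostname: {ipv4, ...}} for every A record in the file."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments
        types = [f.upper() for f in fields[1:]]  # TTL and class are optional
        if "A" not in types:
            continue
        idx = types.index("A") + 1               # position of "A" in fields
        if idx + 1 >= len(fields):
            continue                             # record has no address
        try:
            addr = str(ipaddress.IPv4Address(fields[idx + 1]))
        except ValueError:
            continue
        records.setdefault(fields[0].rstrip(".").lower(), set()).add(addr)
    return records

def audit_root_hints(text, baseline=BASELINE):
    """List (finding, hostname, addresses) for every deviation from baseline."""
    seen = parse_a_records(text)
    findings = []
    for name, addrs in sorted(seen.items()):
        if name not in baseline:
            findings.append(("unknown-server", name, sorted(addrs)))
        elif addrs != {baseline[name]}:
            findings.append(("address-mismatch", name, sorted(addrs)))
    findings += [("missing", n, []) for n in sorted(set(baseline) - set(seen))]
    return findings
```

Running `audit_root_hints(SAMPLE_HINTS)` reports the re-pointed `f.root-servers.net` entry and the extra `rogue.example` host; the same comparison applies to a forwarder list checked against the addresses the site is supposed to use.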
